[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: AttributeSelector initial context as resource node
Consider adding an optional attribute on <AttributeSelector> to start at
the resource node instead of the <Content> element. This would only
have to be supported under a hierarchical profile. The attribute could
be named "ResourceContextPath", and would be used instead of
"RequestContextPath" when the evaluation should start from the node on
which a decision is wanted.
When writing policies for hierarchical resources, it is sometimes
convenient to express a condition based on the value of another node in
the request content, relative to the resource node on which the decision
is requested.
<AttributeSelector> only allows xpath expressions with initial context
of the <Content> request element.
For example, suppose the resource content looks like this:
<node xmlns="my-namespace">
<att name="att1">foo</att>
<node>
<att name="att1">foo</att>
<att name="att2">abc</att>
</node>
<node>
<att name="att1">bar</att>
<att name="att2">xyz</att>
</node>
</node>
I have a business rule that says no node with att1="bar" should have an
ancestor node whose att1="foo". (Conversely, no node with att1="foo"
should have a descendant with att1="bar". But I don't want a decision
on the ancestor, I want a decision for each descendant.)
I want decisions on all nested nodes, so my request will include the
appropriate scope and resource-id attributes for an xpath-expression
multi-resource request.
The problem is writing the rule. Nodes can be nested to any depth. The
rule can be stated as: "if the resource att1='bar', and any ancestor
node has att1='foo', then deny; otherwise permit". This goes directly
into a XACML Policy with two Rules. The essential parts of the policy
might look like this (using the proposed "ResourceContextPath" attribute
on AttributeSelector):
<Policy xmlns:mns="my-namespace"
RuleCombiningAlgId="...first-applicable">
<Target>
<AnyOf>
<AllOf>
<Match
MatchId="urn:oasis:names:tc:xacml:3.0:xpath-node-match">
<AttributeValue
DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"
XPathCategory="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
>mns:node//mns:node</AttributeValue>
<AttributeDesignator
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
AttributeId="urn:oasis:names:tc:xacml:1.0:resource:xpath"
DataType="urn:oasis:names:tc:xacml:3.0:data-type:xpathExpression"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule RuleId="deny-bar-if-ancestor-foo" Effect="Deny">
<Target>
<AnyOf>
<AllOf>
<Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string";>bar</AttributeValue>
<AttributeSelector
ResourceContextPath="mns:att[@name='att1']
DataType="http://www.w3.org/2001/XMLSchema#string";
MustBePresent="false"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"/>
</Match>
<Match
MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue
DataType="http://www.w3.org/2001/XMLSchema#string";>foo</AttributeValue>
<AttributeSelector
ResourceContextPath="ancestor::mns:node/mns:att[@name='att1']"
DataType="http://www.w3.org/2001/XMLSchema#string";
MustBePresent="false"
Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
<Rule RuleId="permit-otherwise" Effect="Permit"/>
</Policy>
If there is another way to address this use case using existing XACML
features I would like to know about it.
--Paul Tyson
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]